# NixOS module: Incus host with one NAT'd bridge, a directory-backed storage
# pool and a default profile that attaches guests to both.
{ ... }:
let
  # Single source for the bridge name: the preseeded network, the default
  # profile's NIC and the firewall rule must all name the same interface.
  bridge = "incusbr0";
  # Shared by the storage pool definition and the root disk that lives on it.
  pool = "default";
in
{
  # nftables is enabled in the server-wide configuration (author's note), so
  # `networking.nftables.enable = true;` is deliberately not repeated here.

  # SECURITY: traffic arriving on a trusted interface is accepted
  # unconditionally by the host firewall, so every guest on the bridge can
  # reach every service listening on the host.
  # NOTE(review): if guests only need DHCP/DNS from the bridge, per-interface
  # rules (networking.firewall.interfaces.<name>.allowedTCPPorts /
  # allowedUDPPorts, limited to 53 and 67) are narrower. Confirm that guests
  # do not rely on any other host service before switching.
  networking.firewall.trustedInterfaces = [ bridge ];

  virtualisation.incus = {
    enable = true;

    # Ships the web UI.
    # NOTE(review): this preseed sets no server-level `config` (for example
    # core.https_address), so where the API/UI listens is decided elsewhere.
    # Confirm the listener is bound only where intended.
    ui.enable = true;

    preseed = {
      storage_pools = [
        {
          name = pool;
          # Plain directory backend.
          # NOTE(review): with `dir`, the root disk `size` below is only
          # enforced if the underlying filesystem supports project quotas.
          # Confirm this, or a guest can fill the host volume.
          driver = "dir";
          config = {
            source = "/var/data/incus/storage-pools/default";
          };
        }
      ];

      networks = [
        {
          name = bridge;
          type = "bridge";
          config = {
            # Host side of the guest subnet; guests reach the outside via NAT.
            "ipv4.address" = "10.0.100.1/24";
            "ipv4.nat" = "true";
          };
        }
      ];

      profiles = [
        {
          name = "default";
          devices = {
            # One NIC on the managed bridge.
            eth0 = {
              type = "nic";
              name = "eth0";
              network = bridge;
            };
            # Root filesystem on the pool defined above.
            root = {
              type = "disk";
              path = "/";
              pool = pool;
              size = "32GiB";
            };
          };
        }
      ];
    };
  };

  # SECURITY: members of incus-admin have full control of the Incus daemon,
  # which is equivalent to root on this host. Treat this account accordingly.
  # Author's note: dirty hack. Group membership should be provisioned through
  # kanidm once unix accounts are set up there.
  users.users.lyes.extraGroups = [ "incus-admin" ];
}